Penetration Testing mailing list archives
Knowledge shared
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Fri, 1 Feb 2002 00:44:27 +1300
Ok so I have some thoughts. No official format.

1) SQL INJECTION

"SQL injection does not work with stored procedures"...Shakes pear 1654

example:

X = WEB VARIABLE = INTEGER

X = 10
EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10

~

X = 10;EXEC MASTER..XP_CMDSHELL''
EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''

2) SQL TIP

SET NOEXEC = Compiles each query but does not execute it.
If 007 knows the field names used in a web page creation then 007 can obtain information from the second query.

3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

Of course any tester that obtains SQL injection capabilities on a test site can abuse this if the test site is not patched.
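Added example, not part of the original post: item 1 written out in T-SQL, with the concatenated procedure call beside a parameterized one. The table, the procedure body and all values are constructed for illustration, and a harmless SELECT stands in for the second statement.

```sql
-- Constructed example: dbo.orders, dbo.my_storedprocedure and every
-- value below are hypothetical stand-ins for the names in the post.
CREATE TABLE dbo.orders (id INT PRIMARY KEY, item NVARCHAR(50));
INSERT INTO dbo.orders (id, item) VALUES (10, N'widget');
GO
CREATE PROCEDURE dbo.my_storedprocedure @id INT
AS
    SELECT id, item FROM dbo.orders WHERE id = @id;
GO

-- X as it reaches the database tier: text, whatever type the page
-- author had in mind for the web variable.
DECLARE @x NVARCHAR(200) = N'10;SELECT ''second statement ran'' AS marker';

-- 1) Weak: the batch text is built by concatenation, so the server
--    parses two statements. The procedure is untouched; it is the
--    batch that calls it that carries the extra statement.
DECLARE @batch NVARCHAR(400) = N'EXEC dbo.my_storedprocedure ' + @x;
EXEC (@batch);   -- returns the order row AND the marker row

-- 2) Corrected: the batch text is a constant and X travels only as a
--    typed parameter. The conversion to INT rejects anything that is
--    not a number before the procedure is ever called.
BEGIN TRY
    DECLARE @id INT = CONVERT(INT, @x);
    EXEC sp_executesql
         N'EXEC dbo.my_storedprocedure @id = @p',
         N'@p INT',
         @p = @id;
END TRY
BEGIN CATCH
    -- Error 245: conversion failed for the nvarchar value.
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
```

The same separation applies in the web tier: pass X through the driver's parameter binding for the procedure call instead of appending it to the command text.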